RBT by ASQ
Uploaded by Selvaraj Simiyon

“So, How Will You Audit a Risk Assessment in ISO 9001:2015?”

Bob Deysher
Senior Consultant
Quality Support Group, Inc.
bob.deysher@qualitysupportgroup.com
© 2017 QSG, Inc.
Questions?
•  Does ISO 9001:2015 “Risk Based Thinking” require Risk Registers?
   No!
•  If there isn’t a “Risk Register”, how do you audit an organization against ISO 9001:2015?
   With Great Difficulty!


So What Does ISO 9001:2015 Require?


ISO 9001:2015 Risk & Opportunities
4.4 Quality management system and its processes
The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine:
f) the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them;
ISO 9001:2015 Risk & Opportunities
6 Planning for the quality management system
6.1 Actions to address risks and opportunities
6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.


ISO 9001:2015 Risk & Opportunities
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its quality management system processes (see 4.4);
2) evaluate the effectiveness of these actions. (*)
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
(*) Sounds like ISO 9001:2008 Clause 8.5.3


What is Risk Based Thinking?


What is “Risk-Based Thinking”?
•  Risk-based thinking is something we all do automatically and often sub-consciously
•  The concept of risk has always been implicit in ISO 9001 – the 2015 revision makes it more explicit and builds it into the whole management system
•  Risk-based thinking is already part of the process approach
•  Risk-based thinking makes preventive action part of the routine
•  Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk


Why Should I adopt “Risk-Based Thinking”?
•  To improve customer confidence and satisfaction
•  To assure consistency of quality of goods and services
•  To establish a proactive culture of prevention and improvement
•  Successful companies intuitively take a risk-based approach
What Should I Do? (continued)
•  Analyse and prioritize the risks and opportunities in your organization
   –  what is acceptable?
   –  what is unacceptable?
•  Plan actions to address the risks
   –  how can I avoid or eliminate the risk?
   –  how can I mitigate the risk?
•  Implement the plan – take action
•  Check the effectiveness of the actions – does it work?
•  Learn from experience – continual improvement


So Where to Start?

How About Management Review?


Management Review Input
Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.

The management review shall be planned and carried out taking into consideration:
e) the effectiveness of actions taken to address risks and opportunities (see clause 6.1);


What is Risk?

Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives.


Risk – A Simple Definition

The volatility of potential outcomes.

or

How surprised do you really want to be??


Food for Thought
•  Why is Risk like Swiss Cheese?

Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014


What if the Organization Does not use Risk Registers?

What “Evidence” to look for?


What is an Auditor to Do?
You need to test how they have used the information relating to their internal and external issues and interested parties to determine risks and opportunities, as well as the decision-making process they have gone through to decide what actions they are going to take.


ISO 9001:2015 Risk Based Thinking Examples
Item (Clause): Risk Based Thinking Demonstration
•  Quality Management System (4.4): Evidence is how issues taken from either the external or internal environment are evaluated and appropriate actions taken in the implementation and maintenance of an organization's QMS
•  Changes to the Quality Management System (6.3): Evidence is how risk and opportunities are used in the decision to change the quality management system
•  Business Opportunities (8.2): Evidence is how risk and opportunities are used in the decision to pursue new business initiatives
•  Design & Development Planning (8.3.1): Evidence is how risk based thinking is used in the planning and then translated into verification and validation activities
•  Design & Development Change Control (8.3.6): Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change
•  Control of Externally provided Processes, Products, and Services (8.4.2): Evidence is using risk to determine the type and level of control implemented to assure that processes, products and services provided by suppliers do not impact quality
•  Product & Service Provisions Planning (8.5.1): Evidence is how risk based thinking is used in the planning and then the implementation of the provisions
•  Production & Service Provisions Change Control (8.5.6): Evidence is using risk to determine the necessary evidence to be obtained and required to evaluate the effectiveness of the change
•  Internal Audit (9.2): Evidence of risk based thinking is using risk arising from previous audits, changes in technology, materials changes, current issues to adjust planned intervals
•  Management Review (9.3): Evidence of risk based thinking are decisions made in a review of actions taken for identified risks and opportunities


What if the Organization Does use Risk Registers?

What “Evidence” to look for?


Risk Definitions
Risk can be defined by two (2) parameters
–  Severity
   •  This is the Seriousness of the harm
–  Probability
   •  This is the Probability that the harm will occur


Risk Assessment - Quantitative

Severity of Harm          Probability of Occurrence
S-5 Catastrophic          O-5 Frequent
S-4 Critical              O-4 Probable
S-3 Marginal              O-3 Occasional
S-2 Negligible            O-2 Remote
S-1 Minor                 O-1 Improbable


Risk Acceptable Regions (diagram; regions from highest to lowest risk)
•  Generally Un-Acceptable
•  As Low As “Reasonably” Practical (ALARP)
•  Generally Acceptable
Risk Assessment - Qualitative


Risk Registers


The Importance of a Risk Register

•  The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken.
•  It can be a simple document, spreadsheet, or a database system, but the most effective format is a table.
•  A table presents a great deal of information in just a few pages.


Proposed Risk Model

Let’s look at Risk Definitions


Risk Definitions
A risk is a specific event that could happen at some point in the future
•  “Insufficient test resources” is not a risk
•  “Project is delayed because of insufficient test resources” is a risk
•  “Aging work force” is not a risk
•  “Loss of Organizational Knowledge due to retirements of our aging work force” is a risk
Proposed Risk Model

Let’s look at Risk Scoring


Scoring Clarity
Severity of Harm          Probability of Occurrence
S-5 Catastrophic          O-5 Frequent
S-4 Critical              O-4 Probable
S-3 Marginal              O-3 Occasional
S-2 Negligible            O-2 Remote
S-1 Minor                 O-1 Improbable

Categories like the ones above can be interpreted differently by different individuals. Agreement on their meaning before scoring is critical and will mitigate later discussions about which issues to address.


Probability Scoring Example
LIKELIHOOD/PROBABILITY OF OCCURRENCE

Rating  Description            Annual Frequency Probability Definition (Example)
1       Rare, very unlikely    <10% chance of occurrence over life
2       Unlikely, seldom       10% - 35% chance of occurrence
3       Possible               35% - 65% chance of occurrence
4       Likely                 65% - 90% chance of occurrence
5       Almost Certain         90% or greater chance of occurrence


Severity
Columns: Rating / Description / Financial Consequence / Reputation Impact / Disruption to Day-to-Day Operations/Productivity / Impact to Employees / Impact on Customers

1 Insignificant
  Financial Consequence: Below $xxxx
  Reputation Impact: Not reported in major media outlets
  Disruption to Day-to-Day Operations/Productivity: Little to no tangible disruption
  Impact to Employees: No noticeable impact
  Impact on Customers: Very low number of dissatisfied customers

2 Minor/Small
  Financial Consequence: $xxxx - $yyyy
  Reputation Impact: Reported in local media but can be managed
  Disruption to Day-to-Day Operations/Productivity: Minor disruption that is limited to only a few departments or employees
  Impact to Employees: Inconvenience or upsets a modest number of employees but no lasting impact
  Impact on Customers: Few customers in multiple business areas dissatisfied

3 Moderate/Medium
  Financial Consequence: $yyyy to $zzzz
  Reputation Impact: Reported in national media and creates immediate need for response. Damage expected to last < 3-6 months
  Disruption to Day-to-Day Operations/Productivity: Major disruption to a limited number of employees or departments, or minor disruption affecting large number of employees
  Impact to Employees: Causes notable concern and/or causes rumors to circulate. Adversely affecting ability of employees in multiple departments to perform job duties
  Impact on Customers: Many customers dissatisfied and you must take action to address directly

4 Major/Critical
  Financial Consequence: $zzzz to $aaaa
  Reputation Impact: Reported globally and results in PR crisis, requiring coordination with and direction from OT to address. Damage expected to last < 1 year
  Disruption to Day-to-Day Operations/Productivity: Major disruption that affects large number of employees but is of limited duration
  Impact to Employees: Negative impact requires coordinated management response to assuage fears. Persistent rumors have short mid-term impact on corporate culture
  Impact on Customers: Many customers dissatisfied. Dissatisfaction leads to business losses

5 Severe/Catastrophic
  Financial Consequence: Financial consequence exceeds $aaaa
  Reputation Impact: Reported globally, for prolonged period, and results in major PR crisis. Requires sustained and ongoing efforts to manage. Significant long-term damage to the brand
  Disruption to Day-to-Day Operations/Productivity: Major disruption that affects large number of employees and is expected to last for a prolonged period of time
  Impact to Employees: Create widespread panic and/or confusion. Reduces morale across the company and negatively changes employee perception of the company on a permanent basis
  Impact on Customers: Many customers cancel business/stop purchasing. Dissatisfaction leads to direct/immediate loss of very crucial business


Proposed Risk Model - Populated

Deysher Manufacturing LLC - Risk Register
Date -

Key Process  Risk Item      Initial  Initial  Initial  Action Plan                                 Update  New  New   New
Step         Name           Sev      Prob     Risk                                                 Date    Sev  Prob  Risk
Step 1       Risk Item 1-1  3        3        9        ALARP                                                         0
             Risk Item 1-2  2        2        4        No Plan Required                                              0
             Risk Item 1-3  4        5        20       Action Plan Required                                          0
             Risk Item 1-4  1        5        5        Verify Probability; if OK then ALARP                          0
Step 2       Risk Item 2-1  5        3        15       Action Plan Required                                          0
             Risk Item 2-2  3        2        6        ALARP                                                         0
             Risk Item 2-3  1        4        4        Verify Probability, then No Plan Required                     0
Step 3       Risk Item 3-1  4        4        16       Action Plan Required                                          0
             Risk Item 3-2  3        3        9        ALARP                                                         0
             Risk Item 3-3  2        5        10       Verify Probability, then No Plan Required                     0
             Risk Item 3-4  2        2        4        No Plan Required                                              0
             Risk Item 3-5  3        1        3        No Plan Required                                              0

(Update Date, New Sev and New Prob are blank in the populated example; New Risk shows 0 until an item is rescored.)

Let’s look at Action Planning


Can ISO 9001:2015 Provide Guidance?
•  NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
•  NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.
Proposed Risk Model - Populated

Let’s look at Effectiveness

New Risk Value Post Action Plans


Effectiveness
•  Rescore Severity & Probability looking for improvement
•  Add the improvement into the continual planning and implementation of the process
•  Roll up all effectiveness of actions taken to Management Review
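The register on the “Proposed Risk Model - Populated” slide and the Effectiveness step above are easy to get wrong by hand, so here is an added worked example in Python (it is not code from the presentation or from QSG). It scores each register row as Severity × Probability on the 1-5 scales, maps a percentage chance onto the 1-5 probability rating from the Probability Scoring Example, and then rescores items after their action plan and rolls the result up for Management Review. Two things are assumptions rather than figures stated on the slides: the score thresholds that separate “Action Plan Required”, “ALARP” and “No Plan Required” (chosen to reproduce every unflagged row of the register), and the rule that flags low-severity, high-probability rows as “Verify Probability”. For the flagged rows the register’s follow-on disposition is the reviewer’s judgement, so the code returns only the flag. The post-action scores are constructed for the example; the slide leaves them blank.

```python
"""Risk register scoring and effectiveness roll-up (added example, not from the slides).

Risk = Severity x Probability, both rated 1-5, as in the populated register.
The score-to-region thresholds and the "Verify Probability" rule below are
ASSUMPTIONS inferred from the populated register; the slides do not state them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASSUMED thresholds, consistent with every unflagged register row
# (15, 16, 20 -> Action Plan Required; 6, 9 -> ALARP; 3, 4 -> No Plan Required).
ACTION_PLAN_MIN = 15  # "Generally Un-Acceptable" region
ALARP_MIN = 6         # "As Low As Reasonably Practical" region

# ASSUMED rule behind the register's "Verify Probability" rows: a low-severity
# item carrying a high probability rating is re-checked before disposition.
VERIFY_SEV_MAX = 2
VERIFY_PROB_MIN = 4

# Probability Scoring Example bands: (exclusive upper % bound, rating).
# Lower bounds are treated as inclusive (assumption; the slide does not say).
_PROB_BANDS = ((10, 1), (35, 2), (65, 3), (90, 4))


def probability_rating(chance_pct: float) -> int:
    """Map a '% chance of occurrence' onto the 1-5 probability rating."""
    if not 0 <= chance_pct <= 100:
        raise ValueError("chance_pct must be within 0..100")
    for upper, rating in _PROB_BANDS:
        if chance_pct < upper:
            return rating
    return 5  # Almost Certain: 90% or greater


def risk_score(severity: int, probability: int) -> int:
    """Risk value as used in the register: Severity x Probability."""
    for name, value in (("severity", severity), ("probability", probability)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return severity * probability


def disposition(severity: int, probability: int) -> str:
    """Action Plan column under the ASSUMED rules. Flagged rows return only
    'Verify Probability'; their follow-on disposition is the reviewer's call."""
    if severity <= VERIFY_SEV_MAX and probability >= VERIFY_PROB_MIN:
        return "Verify Probability"
    score = risk_score(severity, probability)
    if score >= ACTION_PLAN_MIN:
        return "Action Plan Required"
    if score >= ALARP_MIN:
        return "ALARP"
    return "No Plan Required"


@dataclass
class RiskItem:
    step: str
    name: str
    severity: int
    probability: int
    new_severity: Optional[int] = None     # filled in after the action plan
    new_probability: Optional[int] = None

    @property
    def score(self) -> int:
        return risk_score(self.severity, self.probability)

    @property
    def new_score(self) -> Optional[int]:
        if self.new_severity is None or self.new_probability is None:
            return None  # not yet rescored
        return risk_score(self.new_severity, self.new_probability)

    def improved(self) -> Optional[bool]:
        """Effectiveness check: did rescoring lower the risk value?"""
        return None if self.new_score is None else self.new_score < self.score


def effectiveness_summary(items: List[RiskItem]) -> Dict[str, int]:
    """Roll-up for Management Review: actioned items that improved, that did
    not, and items still open (not yet rescored)."""
    summary = {"improved": 0, "not_improved": 0, "open": 0}
    for item in items:
        result = item.improved()
        key = "open" if result is None else ("improved" if result else "not_improved")
        summary[key] += 1
    return summary


# Initial scores copied from the populated register. The new_* values are
# CONSTRUCTED here to exercise the rescoring step; the slide leaves them blank.
REGISTER: List[RiskItem] = [
    RiskItem("Step 1", "Risk Item 1-1", 3, 3),
    RiskItem("Step 1", "Risk Item 1-2", 2, 2),
    RiskItem("Step 1", "Risk Item 1-3", 4, 5, new_severity=4, new_probability=2),
    RiskItem("Step 1", "Risk Item 1-4", 1, 5),
    RiskItem("Step 2", "Risk Item 2-1", 5, 3, new_severity=5, new_probability=1),
    RiskItem("Step 2", "Risk Item 2-2", 3, 2),
    RiskItem("Step 2", "Risk Item 2-3", 1, 4),
    RiskItem("Step 3", "Risk Item 3-1", 4, 4, new_severity=4, new_probability=4),
    RiskItem("Step 3", "Risk Item 3-2", 3, 3),
    RiskItem("Step 3", "Risk Item 3-3", 2, 5),
    RiskItem("Step 3", "Risk Item 3-4", 2, 2),
    RiskItem("Step 3", "Risk Item 3-5", 3, 1),
]
```

Run against the register this reproduces the Initial Risk column (9, 4, 20, 5, 15, 6, 4, 16, 9, 10, 4, 3) and the unflagged Action Plan entries. The three constructed rescores roll up as two improved, one not improved (Risk Item 3-1 keeps its score of 16, which is exactly the case Management Review needs to see) and nine still open. Keeping the thresholds and the verify rule as named constants is what makes the “Scoring Clarity” point auditable: the agreement reached before scoring is written down where the scoring happens.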


But What About FMEAs?
•  Review the requirements in ISO 9001:2015, Clause 6
•  Do your FMEAs integrate Context of the Organization as well as Needs and Expectations of Interested Parties information (as well as Risks of the Processes)?
•  If YES, use them, but remember you are to assess risk across your entire Quality Management System.
•  ISO 9001:2015 is a process/system standard, not a product or service standard


Food for Thought
•  Why is Risk like Swiss Cheese?

Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014


Addressing Risk


Integrating Risk Based Thinking with the Process Approach and PDCA


Plan-Do-Check-Act
The Plan-Do-Check-Act (PDCA) methodology can be a useful tool to define, implement and control corrective actions and improvements. Extensive literature exists about the PDCA cycle in numerous languages.

PDCA cycle (diagram):
•  Plan – What to do? How to do it?
•  Do – Do what was planned
•  Check – Did things happen according to plan?
•  Act – How to improve next time?


Process + Risk + PDCA Model (diagram)
INPUTS (interaction with other processes) → process → OUTPUTS (interaction with other processes)
•  Plan – Plan the process (extent of planning depends on RISK)
•  Do – Carry out the process
•  Check – Monitor/measure process performance
•  Act – Incorporate improvements as necessary


Conclusions
•  Risk Based Thinking is an element in the Process Approach
•  Risk Based Thinking is an input to Management Review
•  Risk Based Thinking is an element in the continual improvement process that is focused on prevention.
•  Risk Based Thinking has to be demonstrated during audits; a risk register is documented information that validates an organization has done Risk Based Thinking.
•  I use Risk Registers with all my clients; it is a living document


Final Thoughts
How about “Opportunity Based Thinking”?

How about replacing “Severity” with “Benefits”?


Questions???
